P2P-Worm.Win32.Scranor

Class P2P-Worm
Platform Win32
Description

Technical Details

This worm spreads via the Kazaa and iMesh file-sharing networks, and also via IRC.

The worm itself is a Windows PE EXE file, approximately 12KB in size.

Installation

Once launched, the worm creates a folder called “Sys32i” in the Program Files directory, and copies itself to this file as “Scran.exe”.

This file is registered in the system registry as a key to enable autorun:

[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
  W32.Scran = %ProgramDir%sys32iScran.exe

This ensures that the worm will be launched each time the system is rebooted.

The worm creates several more copies of itself under the following names:

Age of Empires crack.exe 
Age of Empires.exe
CD Key.exe 
Counter Strike 6.exe
Counter Strike.exe
Grand Theft Auto 3 CD2 ISO.exe
Half-Life.exe
Hotmail account cracker.exe
Hotmail Hack.exe
KeyGen.exe
Microsoft Office.exe
Norton Anti Virus 2004.exe
Norton Anti Virus 2005.exe
Norton Anti Virus Crack.exe
Norton Firewall.exe 
Norton Internet Security 2004.exe
Partition Magic 8.exe
Playstation 2.exe
Resident Evil.exe
Scran.cpl
Tomb Raider.exe
Trojan Remover.exe
Windows XP Home.exe
Yahoo Hack.exe
ZoneAlarm Firewall Pro.exe

This folder will be shown in the system registry as Local Content for Kazaa and iMesh:

[HKCUSoftwareKazaaLocalContent]
[HKCUSoftwareKazaaTransfer]
  "dir0" = "012345:%ProgramDir%sys32i"
[HKCUSoftwareiMeshClientLocalContent]
  "dir0" = "012345:%ProgramDir%sys32i"

These files will then be accessible to other users of the P2P networks.

The worm creates an identifier “W32.Scran-Worm” to flag its presence in the system.

Propagation via IRC

The worm searches the victim machine for an IRC client. If it detects one, it will change the contents of the “script.ini” file so that the worm will be passed to all users who enter IRC channels used by the infected machine.

Other

The worm will download a file named “botnet.jpg” from http://www.freewebs.com. This file will be saved in the C: root directory as “botnet.exe”. This file contains the latest version of Backdoor.Win32.Rbot.gen.

On the 1st January, the worm will cause a dialogue box containing the following text to be displayed on the screen:

Ha?
Happy New Year W32.Scran!!